Sandbox technology is a security technology that runs applications in a restricted, secure environment and achieves logical isolation of data through access control. Its earliest application used redirection to direct the files that programs generate and modify into a customized virtual space. When a program tries to run, security software can first run it in the sandbox. If the program exhibits malicious behavior, the security software blocks it from running further, so no damage is done to the system. Later, as the demand for data security grew, the sandbox's redirection-based virtualization also came to be commonly used in “Anti-Disclosure” products.
Local redirection means that any operation on a local file A is redirected to an operation on a local copy B, in order to protect the real local file A. A file that is downloaded and saved locally is actually redirected and saved as another copy. The save path originally set by the user exists only as a virtual file link.
In the traditional sandbox technology, a user downloads a file from a server, and the file is encrypted and saved as a hidden local copy by means of local transparent encryption. A virtual file link is then created at the original save path of the file within the virtual workspace. Outside the virtual workspace the user cannot see the downloaded file at all, because the file has been redirected to the hidden copy, while inside the virtual workspace a virtual copy of that copy is visible. All operations on the virtual copy are redirected to the hidden copy. When the user logs out, the hidden copy is cleared automatically, which achieves the logical isolation.
FIG. 1 shows an exemplary diagram of the logical isolation provided by traditional sandbox technology. Referring to FIG. 1, a user accesses an operational system server, and through it a certain key file, by way of a security gateway. The local user terminal encrypts the key file and saves it locally, forming a copy that can only be accessed within the safety space. When the user accesses the file in the safety space, the content of the encrypted copy is presented to the client through transparent decryption. After the user logs off the session, the encrypted copy may or may not be deleted automatically, depending on the setting chosen. If automatic deletion is enabled, the copy edited last time cannot be accessed when the user logs in to the same PC again, and the file must be downloaded again by accessing the operational system. If automatic deletion is not enabled, the copy edited last time can be accessed when the user logs in to the same PC again. However, there are the problems that the local encrypted file may be decrypted, or may be deleted when the disk is formatted offline. The traditional sandbox technology described above depends on the strength of the encryption applied to the local data. If the encryption algorithm is too weak, the file may be decrypted offline. If the encryption algorithm is too strong, it severely degrades usability and the user experience and at the same time increases the complexity of implementing transparent encryption and decryption. Secondly, encrypted storage gives the “key file” an inherent defect with respect to authority sharing: it is hard to implement a file-sharing strategy within the scope of a user's authority.
Additionally, in the traditional sandbox technology, because the data is encrypted and saved on the local disk, the user must log in to the same user terminal to access the file saved last time. With the logical isolation method shown in FIG. 1, the same file cannot be shared or accessed by two different users (user A and user B). Besides, if the local disk is formatted or the file is deleted manually, the file can never be accessed again.
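The traditional scheme described above (virtual file link, hidden encrypted local copy, transparent decryption, optional deletion at logout) can be modelled in a few lines. This is an added illustration, not code from the original document; the class name, the per-terminal key and the SHA-256 keystream that stands in for the transparent-encryption layer are all assumptions made for the example.

```python
import hashlib, os, secrets, shutil, tempfile

class RedirectingWorkspace:
    """Toy model: virtual path -> hidden, encrypted local copy (hypothetical names)."""

    def __init__(self, auto_delete=True):
        self.hidden_dir = tempfile.mkdtemp(prefix="hidden_")  # the hidden local store
        self.key = secrets.token_bytes(32)   # assumption: key lives only on this terminal
        self.links = {}                      # virtual file link -> hidden copy path
        self.auto_delete = auto_delete

    def _xor_keystream(self, data, nonce):
        # Stand-in for transparent encryption (SHA-256 in counter mode).
        # Illustrative only; not a vetted cipher.
        out = bytearray()
        for i in range(0, len(data), 32):
            pad = hashlib.sha256(self.key + nonce + i.to_bytes(8, "big")).digest()
            out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
        return bytes(out)

    def write(self, virtual_path, data):
        # Nothing is written at virtual_path; the operation is redirected.
        hidden = self.links.setdefault(
            virtual_path, os.path.join(self.hidden_dir, secrets.token_hex(8)))
        nonce = secrets.token_bytes(16)
        with open(hidden, "wb") as f:
            f.write(nonce + self._xor_keystream(data, nonce))

    def read(self, virtual_path):
        # Transparent decryption: the caller only ever sees plaintext.
        with open(self.links[virtual_path], "rb") as f:
            blob = f.read()
        return self._xor_keystream(blob[16:], blob[:16])

    def logout(self):
        # With automatic deletion the hidden copy is emptied at logout.
        if self.auto_delete:
            shutil.rmtree(self.hidden_dir, ignore_errors=True)
            self.links.clear()
```

Because both the key and the hidden copy exist only on the one terminal, a second user or a second machine has no way to open the same file, which is the sharing limitation noted above.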